AMGEN INC - (AMGN)
10-K Filing Date: February 14, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
Amgen has a multi-layered and iterative approach towards assessing, identifying, managing and mitigating risks from cybersecurity threats. The Company’s Digital, Technology & Innovation (DTI) function is designed to support our productivity, innovation and outreach globally through the quality delivery of information systems, solutions and services for our business and operations. The DTI function has a Cybersecurity & Digital Trust (CDT) team that assesses and reduces cybersecurity exposure, including by providing employees with training and resources to identify potential cybersecurity threats and implementing information technology security practices. The CDT team also monitors for cybersecurity threat activity and seeks to mitigate the impact from cybersecurity incidents by deploying information security engineers, system architects, analysts and cybersecurity specialists to provide monitoring, reporting and management of cybersecurity incidents.
To evaluate the progress of its activities, our DTI function uses various industry and regulatory frameworks as guides to assess the state of the Company’s cybersecurity program maturity and controls, including our organizational, people, physical and technological controls. The CDT team also conducts reviews and evaluations of our cybersecurity resilience program with Amgen’s Cybersecurity & Digital Trust Governance Council (which includes leaders from information security, compliance, regulatory affairs, manufacturing, audit, law and business development functions).
Our cybersecurity risk management program is considered by and integrated into our Company-wide Enterprise Risk Management program, and shares common methodologies, reporting channels and governance processes that apply across the Enterprise Risk Management program to that of other enterprise level risks (such as product development, safety and surveillance, financial and intellectual property risks). Regular evaluations are conducted of the greatest risks to our business and their underlying risk drivers as well as the associated mitigation activities, maturity and controls. This program is overseen by our Executive Vice President and Chief Financial Officer and guided by the Enterprise Risk Council, a cross-functional group of the Company’s business leaders representing key business functions that is chaired by our Chief Audit Executive. The results of the enterprise risk evaluations and the status and operation of the Enterprise Risk Management program are presented to our Board of Directors, which oversees the Company’s enterprise-level risks.
Further, our corporate audit function is responsible for assessing risk and testing whether, and the extent to which, our information security policies and practices are being implemented effectively within our business and by third party providers. Findings from such reports and related corrective action plans are shared with our CDT team, Company leadership, and the Audit Committee and Corporate Responsibility and Compliance Committee (CRCC) of our Board of Directors.
In addition to leveraging the Company’s own information technology resources, our Incident Response and Cyber Threat Intelligence teams engage, as needed, third-party cybersecurity risk assessors and consultants to assist in recognizing threats, identifying security vulnerabilities, and evaluating the impact of cybersecurity attacks and incidents when they occur. On a biennial basis, our DTI organization also engages external third-party experts to assess the Company’s cybersecurity control maturity across the organization and develops plans to address such experts’ recommendations.
Our CDT function has processes to oversee and identify the risks of cybersecurity threats associated with third-party service providers and monitors and works to mitigate the impact of cybersecurity incidents encountered by our third-party service providers. Upon becoming aware of cybersecurity incidents encountered by our third-party service providers, the CDT function’s Incident Response and Cyber Threat Intelligence teams are deployed to evaluate and mitigate the impact of such incidents on our business.
Despite our layered controls and cybersecurity efforts, the Company and its third-party vendors have experienced cyberattacks and information security vulnerabilities, and while such incidents have not had a material adverse effect on the Company, there can be no assurance that future cybersecurity attacks or incidents would not result in a material adverse effect on our business strategy, results of operations or financial condition. For examples of such matters and a discussion of the risks that we face, see Item 1A. Risk Factors—A breakdown of our information technology systems, cyberattack or information security breach could significantly compromise the confidentiality, integrity and availability of our information technology systems, network-connected control systems and/or our data, interrupt the operation of our business and/or affect our reputation. However, we have not identified risk from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.
Governance
Our Board of Directors oversees an enterprise-wide approach to risk management, including risks related to information systems and cybersecurity, and each Board committee has primary risk oversight responsibilities aligned with its areas of focus. At each regular meeting of the Board, the Board receives and considers reports from each of its committees, and such reports provide additional detail on significant risk management issues as appropriate, including cybersecurity. The CRCC is the committee that has primary oversight responsibility for the Company’s information systems and management of cybersecurity and receives reports from our Senior Vice President and Chief Information Officer (CIO) and Chief Information Security Officer (CISO) that include reviews of our information systems strategy, technology investments, cybersecurity risks and incidents, and third-party risk management, as well as an annual evaluation of the Company’s cybersecurity status. The Board’s Audit Committee has oversight responsibility of our internal controls, assurances and financial risks. The Audit Committee is provided with copies of materials presented to our CRCC by our CIO and CISO and receives reports from our CIO regarding topics including integration or implementation of new financial systems and key controls and governance designed to address cybersecurity risks associated with the use of such new financial systems.
Our management team, including our CIO and CISO, supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal information security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information systems environment.
Our CISO, who heads our CDT team and is accountable for the Company’s cybersecurity risk management program, joined the Company’s information systems organization in 2016, is a Certified Information Systems Security Professional and is certified in risk and information systems control. Previously, our CISO served in both leadership and operational positions as a cybersecurity professional in the U.S. government and was a cybersecurity consultant, providing a wide range of cybersecurity services to various U.S. government agencies and departments. Our DTI organization is led by, and our CISO is overseen by, our CIO, who has held roles of increasing responsibility within our information systems organization since 2001 and has developed his knowledge and skills in the cybersecurity area over the course of his career in information systems. Our inaugural Executive Vice President and Chief Technology Officer (CTO), effective as of the end of 2023, oversees our CIO. Prior to the establishment of the CTO role, our CIO was overseen by our Executive Vice President and Chief Financial Officer.
As leaders of the DTI organization and CDT function, respectively, the Company’s CIO and CISO are informed about and monitor significant cybersecurity threats and incidents through the Company’s internal cybersecurity reporting structure. Our CDT team is responsible for monitoring and detecting cybersecurity threats and incidents. Our CDT team, overseen by our CISO, is also responsible for the mitigation and remediation of cybersecurity incidents. When members of the CDT team detect a cybersecurity threat or incident or are made aware of a cybersecurity incident encountered by a third-party service provider, the discovery is communicated to the Incident Response team, which includes our CISO and other senior members of the CDT function. The Incident Response team evaluates the severity of the cybersecurity threat or incident and shares its findings with our CISO.
Our CISO and/or his senior team leaders, in addition to our CIO and CTO, also provide regular reports to executives leading our finance, compliance, law and human resources functions on potentially significant cybersecurity incidents and the progress made towards mitigation and remediation of those incidents. These leaders oversee reporting to our CRCC and Audit Committee, and reporting of such cybersecurity incidents is included in the course of regular meetings of such committees. Additionally, in appropriate circumstances, reporting of potentially significant cybersecurity incidents is made directly to the leaders of our CRCC and Audit Committee or directly to the Board of Directors outside of their regular meeting schedule. Further, in support of our internal controls, our CISO also reviews cybersecurity matters and trends with our accounting and law functions on a quarterly basis.
Information Systems Acquired from Horizon Therapeutics plc
On October 6, 2023, we completed our acquisition of Horizon. Horizon’s legacy information systems are currently maintained separately from Amgen’s preexisting information system infrastructure. After we are able to fully evaluate Horizon’s legacy information systems, protocols and practices, we plan to operationally integrate the legacy Horizon systems into our own, and these integrated systems will then be subject to Amgen’s cybersecurity risk management structure and strategy. While we integrate these systems, our CISO and CDT function are engaging in cybersecurity risk management activities, and any cybersecurity incidents detected on the legacy Horizon information systems are assessed, mitigated and remediated by our CDT function’s Incident Response and Cyber Threat Intelligence teams and reported in accordance with the governance processes detailed above. See Item 1A. Risk Factors—Our efforts to collaborate with or acquire other companies, products, or technology, and to integrate the operations of companies or to support the products or technology we have acquired, may not be successful, and may result in unanticipated costs, delays or failures to realize the benefits of the transactions and Item 1A. Risk Factors—A breakdown of our information technology systems, cyberattack or information security breach could significantly compromise the confidentiality, integrity and availability of our information technology systems, network-connected control systems and/or our data, interrupt the operation of our business and/or affect our reputation.